Is Request.getHeader(“host”) vulnerable?

Host header can result in stored XSS and not in reflected XSS (unless you are trying to XSS yourself). The server processing your request doesn't need to have the same hostname as the host you sent your request to, so you can send a request to host A with the Host header set to host B. But in most scenarios you will only be affecting yourself and not anyone else, unless the developer has made a mess in the code and there is some persistence of the Host header which will somehow be used for some other users.
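
The persistence case the answer describes, as an added example (not code from the original answer): a server reads the Host header straight out of a raw request, builds a password-reset link from it, and stores that link where another user will see it. The raw request, the `ALLOWED_HOSTS` set and the function names are constructed for the illustration; the hardened variant checks the Host value against an allowlist before using it.

```python
import html
import re

# Constructed raw HTTP/1.1 request (sample input, not a real capture). It would be sent
# to the TCP endpoint of example.com, but the Host header names something else entirely.
RAW_REQUEST = (
    b"POST /reset-password HTTP/1.1\r\n"
    b'Host: evil.example"><script>alert(1)</script>\r\n'
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Hypothetical deployment configuration: the only names this application is served under.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw request into a lower-cased name -> value dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the reset link from the Host header as-is (the getHeader("host") pattern).
    If this string is stored (e-mail template, audit page, cache) and later rendered to
    another user, the attacker-chosen Host value becomes stored XSS / link poisoning."""
    return f'<a href="https://{headers["host"]}/reset?token={token}">Reset password</a>'


def validated_host(headers: dict) -> str:
    """Return the Host name only if it is syntactically hostname[:port] and on the allowlist."""
    host = headers.get("host", "")
    m = re.fullmatch(r"([A-Za-z0-9.-]+)(?::\d{1,5})?", host)
    if not m:
        raise ValueError("malformed Host header")
    hostname = m.group(1).lower()
    if hostname not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted Host header: {hostname}")
    return hostname


def host_is_allowed(headers: dict) -> bool:
    """Convenience check: True when validated_host() accepts the request."""
    try:
        validated_host(headers)
        return True
    except ValueError:
        return False


def reset_link_hardened(headers: dict, token: str) -> str:
    """Same link, but the hostname comes from the allowlist check and the token is escaped."""
    return (f'<a href="https://{validated_host(headers)}/reset?token={html.escape(token)}">'
            f"Reset password</a>")


if __name__ == "__main__":
    hdrs = parse_headers(RAW_REQUEST)
    print("vulnerable:", reset_link_vulnerable(hdrs, "abc123"))
    print("allowed?  ", host_is_allowed(hdrs))
    print("hardened: ", reset_link_hardened({"host": "www.example.com:8443"}, "abc123"))
```

Rejecting an unknown Host with a 400 (as `validated_host` does by raising) is the usual choice; falling back to a configured canonical hostname is the other. Either way the request sent to host A claiming to be host B never reaches the stored link.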

Securing an API for mobile access

You already got many detailed answers, so I am not going to write another one. Simple solution: ask mobile-based users to authenticate once using a username and password, generate an authentication token at the server (keep a copy with you, associated with the username), store the token on the mobile and use this token in further communications. You can make the token valid for ever or for a limited time, based on your requirements. There are still risks around lost devices etc., but it is still better than embedding credentials in code.

Disclaimer: This is not the most secure solution, just better than the current situation.
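
The token scheme in the answer, as an added example (not code from the original answer): a one-time username/password login issues a random bearer token, the server keeps a hashed copy tied to the username with an optional expiry, and later calls are resolved from the token alone. The user table, salt and function names are constructed for the illustration; revocation stands in for the lost-device case the answer mentions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional


# Constructed user table (sample data): salted PBKDF2 password hashes, never plaintext.
def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-demo-salt"
USERS = {"alice": (_SALT, _password_hash("correct horse battery", _SALT))}

# Server-side copy of issued tokens, keyed by SHA-256 of the token so a leaked table
# cannot be replayed directly. Value: owning username and expiry (None = never expires).
TOKENS: dict = {}


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def check_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(_password_hash(password, salt), expected)


def issue_token(username: str, password: str,
                ttl_seconds: Optional[int] = 3600,
                now: Optional[float] = None) -> Optional[str]:
    """One-time username/password login. Returns the bearer token the app should store,
    or None on bad credentials. ttl_seconds=None issues a token with no expiry."""
    if not check_password(username, password):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                 # 256 bits from the OS CSPRNG
    expires = None if ttl_seconds is None else now + ttl_seconds
    TOKENS[_token_key(token)] = {"user": username, "expires": expires}
    return token


def authenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve a token (e.g. from Authorization: Bearer) to a username, or None.
    Expired tokens are removed on sight."""
    now = time.time() if now is None else now
    key = _token_key(token)
    rec = TOKENS.get(key)
    if rec is None:
        return None
    if rec["expires"] is not None and now >= rec["expires"]:
        del TOKENS[key]
        return None
    return rec["user"]


def revoke(token: str) -> None:
    """Logout: drop a single token."""
    TOKENS.pop(_token_key(token), None)


def revoke_all_for_user(username: str) -> int:
    """Lost-device handling: invalidate every token the user currently holds."""
    doomed = [k for k, r in TOKENS.items() if r["user"] == username]
    for k in doomed:
        del TOKENS[k]
    return len(doomed)


if __name__ == "__main__":
    tok = issue_token("alice", "correct horse battery", ttl_seconds=60, now=1000.0)
    print("user for token:", authenticate(tok, now=1010.0))
    print("after expiry:  ", authenticate(tok, now=1061.0))
```

The token is sent in a header rather than the URL so it stays out of access logs, and only its hash is stored server-side; the app on the device still holds the raw token, which is the residual risk the answer's disclaimer points at.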

May 18 (comment)

Does vulnerability exist when using XHR with GET method and custom anti-CSRF HTTP header?

@AndreyBotalov even if it doesn't appear in the URL it will be logged by the web server and proxy server, along with all your params. And issue 3: whatever you send to the client is widely exposed one way or another: view source, check the JavaScript, intercept your own request; there are numerous ways. You really need to get your fundamentals right before calling the issues irrelevant.